stackrox · Maddosaurus · Feb 2, 2023 · Feb 1, 2023 · Feb 1, 2023 · Feb 1, 2023
diff --git a/deploy/README.md b/deploy/README.md
@@ -18,13 +18,14 @@ $ LOAD_BALANCER=route ./deploy/openshift/deploy.sh
 
 Most environment variables can be found in [common/env.sh](common/env.sh).
 
-| **Name**           | **Values**            | **Description**                                                                                                                                                            |
-|--------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| `COLLECTION_METHOD`  | `ebpf`  \| `kernel-module` | Set the collection method for collector.                                                                                                                                   |
-| `HOTRELOAD`          | `true`  \| `false`         | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop.  Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
-| `LOAD_BALANCER`      | `route` \| `lb`            | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes.                                                 |
-| `MAIN_IMAGE_TAG`     | `string`                   | Configure the image tag of the `stackrox/main` image to be deployed.                                                                                                       |
-| `MONITORING_SUPPORT` | `true`  \| `false`         | Enable StackRox monitoring.                                                                                                                                                |
-| `REGISTRY_USERNAME`  | `string`                   | Set docker registry username to pull the docker.io/stackrox/main image. |
-| `REGISTRY_PASSWORD`  | `string`                   | Set docker registry password to pull the docker.io/stackrox/main image.  |
-| `STORAGE`            | `none`  \| `pvc`           | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`.                                                |
+| **Name**                | **Values**            | **Description**                                                                                                                                                            |
+|-------------------------|-----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
+| `COLLECTION_METHOD`     | `ebpf`  \| `kernel-module` | Set the collection method for collector.                                                                                                                                   |
+| `HOTRELOAD`             | `true`  \| `false`         | `HOTRELOAD` mounts Sensor and Central local binaries into locally running pods. Only works with docker-desktop.  Alternatively you can use ./dev-tools/enabled-hotreload.sh. Note however that this will break the linter: https://stack-rox.atlassian.net/browse/ROX-6562 |
+| `LOAD_BALANCER`         | `route` \| `lb`            | Configure how to expose Central, important if deployed on remote clusters. Use `route` for OpenShift, `lb` for Kubernetes.                                                 |
+| `MAIN_IMAGE_TAG`        | `string`                   | Configure the image tag of the `stackrox/main` image to be deployed.                                                                                                       |
+| `MONITORING_SUPPORT`    | `true`  \| `false`         | Enable StackRox monitoring.                                                                                                                                                |
+| `MONITORING_ENABLE_PSP` | `true` \| `false`          | Generate PodSecurityPolicies for monitoring. Defaults to `false`, as PSPs were deprecated in k8s 1.25. |
+| `REGISTRY_USERNAME`     | `string`                   | Set docker registry username to pull the docker.io/stackrox/main image. |
+| `REGISTRY_PASSWORD`     | `string`                   | Set docker registry password to pull the docker.io/stackrox/main image.  |
+| `STORAGE`               | `none`  \| `pvc`           | Defines which storage to use for the Central database, to preserve data between Central restarts it is recommended to use `pvc`.                                                |
diff --git a/...toring/templates/pod-security-policy.yaml → ...toring/templates/pod-security-config.yaml b/...toring/templates/pod-security-policy.yaml → ...toring/templates/pod-security-config.yaml
@@ -1,11 +1,12 @@
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
   labels:
     app.kubernetes.io/name: stackrox
     app: monitoring
 rules:
+{{- if .Values.enableMonitoringPSPs }}
   - apiGroups:
       - policy
     resources:
@@ -14,6 +15,7 @@ rules:
       - stackrox-monitoring
     verbs:
       - use
+{{- end }}
   - apiGroups: [""]
     resources:
       - endpoints
@@ -25,20 +27,21 @@ rules:
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
   namespace: {{ .Release.Namespace }}
   labels:
     app.kubernetes.io/name: stackrox
     app: monitoring
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: stackrox-monitoring-psp
+  name: stackrox-monitoring
 subjects:
   - kind: ServiceAccount
     name: monitoring
     namespace: {{ .Release.Namespace }}
 ---
+{{- if .Values.enableMonitoringPSPs }}
 apiVersion: policy/v1beta1
 kind: PodSecurityPolicy
 metadata:
@@ -75,3 +78,4 @@ spec:
     ranges:
       - min: 4000
         max: 4000
+{{- end }}
diff --git a/deploy/charts/monitoring/values.yaml b/deploy/charts/monitoring/values.yaml
@@ -37,3 +37,5 @@ alertmanager:
       group_by: [alertname]
   configmapReload:
     enabled: true
+
+enableMonitoringPSPs: ${MONITORING_ENABLE_PSP}
diff --git a/deploy/common/env.sh b/deploy/common/env.sh
@@ -21,6 +21,9 @@ echo "ROX_HTPASSWD_AUTH set to $ROX_HTPASSWD_AUTH"
 
 echo "MONITORING_SUPPORT set to ${MONITORING_SUPPORT}"
 
+export MONITORING_ENABLE_PSP=${MONITORING_ENABLE_PSP:-false}
+echo "MONITORING_ENABLE_PSP set to ${MONITORING_ENABLE_PSP}"
+
 export CLUSTER=${CLUSTER:-remote}
 echo "CLUSTER set to $CLUSTER"